Non-privileged user can query constant value (NOT any of the field(s)) from table for which he has no rights. This means that he can know the number of records in that table.

Key: CORE-4985
URL: http://tracker.firebirdsql.org/browse/CORE-4985
Project: Firebird Core
Issue Type: Bug
Reporter: Pavel Zotov

SQL> create or alter user john password '123';
SQL> create table test(id int);
SQL> set count on;
SQL> insert into test select row_number()over() from rdb$types rows 7;
Records affected: 7
SQL> commit;
SQL> revoke all on all from john;
Warning: ALL on ALL is not granted to JOHN.
SQL> commit;

SQL> connect '/3333:e30' user john password '123';
Database: '/3333:e30', User: JOHN
SQL> select count(*) from test;
Statement failed, SQLSTATE = 28000
no permission for SELECT access to TABLE TEST
----- OK, expected

SQL> set count on;
SQL> select 1 from test;

    CONSTANT
============
           1
           1
           1
           1
           1
           1
           1

Records affected: 7
-------------- ?? Why can he know the result of COUNT(*) this way?

WI-V3.0.0.32136

PS. Maybe this is not a bug, but IMO the user should not have *any* knowledge about such a table, even about the number of rows in it.